If you have upgraded your Active Directory domain to Windows Server 2012 R2 and use the Splunk App for Active Directory, you may have noticed that the replication statistics script doesn’t work the same way as on older versions of Windows. Specifically, the ad-repl-stats.ps1 script takes forever to run and consumes just about as much memory as you can give it. This is because of a change in the implementation of the System.DirectoryServices.ActiveDirectory API that Microsoft provides. In prior releases of Windows Server, the API was lazy – data was only filled in within the objects when the data was requested. In Windows Server 2012 R2, those same objects filled in the data at instantiation. When we read the replication status object, all the replicated objects were loaded immediately, causing a major performance impact.
Fortunately, we’ve got all the facilities to correct this. As part of the PowerShell v3 release, we also got our hands on some new PowerShell cmdlets for managing Active Directory. These are contained in the RSAT-ADDS Windows Feature (which you will need to install on each domain controller). I created a new script called replication-stats.ps1 with the following contents:

    Import-Module ActiveDirectory -ErrorAction SilentlyContinue

    # One object per inbound replication partner, across every partition
    Get-ADReplicationPartnerMetaData -Target $env:ComputerName -PartnerType Inbound -Partition * | %{
        # The partner DN names the NTDS Settings object; its parent is the server object that holds dNSHostName
        $src_host = Get-ADObject -Filter * `
            -SearchBase $_.Partner.Replace("CN=NTDS Settings,","") `
            -SearchScope Base -Properties dNSHostName

        # Emit the same field names as the old scripted input
        New-Object PSObject -Property @{
            LastAttemptedSync = $_.LastReplicationAttempt
            LastSuccessfulSync = $_.LastReplicationSuccess
            Result = $_.LastReplicationResult
            transport = $_.IntersiteTransportType
            naming_context = $_.Partition
            type = "ReplicationEvent"
            usn = $_.LastChangeUsn
            src_host = $src_host.dNSHostName
        }
    }

The primary source of information is the Get-ADReplicationPartnerMetaData cmdlet, which provides details of the replication partnerships on the current host. We convert the partner into the source host using Get-ADObject. Now the output has exactly the same fields as the old ad-repl-stat.ps1 script. To run it, we need to schedule it using our SA-ModularInput-PowerShell add-on (which you will also need to install on each domain controller). Replace the scripted input for ad-repl-stat.ps1 with the following within inputs.conf:

    [powershell://Replication-Stats]
    script = & "$SplunkHome\etc\apps\ad-repl-stats\bin\replication-stats.ps1"
    schedule = 30 */5 * ? * *
    index = msad
    source = Powershell
    sourcetype = MSAD:NT6:Replication
    disabled = false

Once you push out the change (including the required SA-ModularInput-PowerShell) and restart the forwarder (if you are installing SA-ModularInput-PowerShell), you will get the replication data flowing within five minutes. This will enable the replication status report to work for your Windows Server 2012 R2 servers again.
This change will be built into a future version of the Splunk App for Active Directory; for those who need it now, my advice is to create a new app with just this data input in it. Disable the ad-repl-stat.ps1 scripted input in the regular TA as well. This will enable a smooth upgrade when this data input is integrated into the Splunk App for Active Directory.
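To check what the script emits before relying on the report, the following added example (not part of the original post or the Splunk app) flags partners whose last attempt failed or whose last successful sync is stale, using the field names the script above produces. The function name Test-ReplicationHealth, its parameters, the 60-minute threshold and the sample records are assumptions made for illustration.

```powershell
# Added example: triage objects shaped like the output of replication-stats.ps1.
# Test-ReplicationHealth, -MaxAgeMinutes and -Now are hypothetical names, not part of the app.
function Test-ReplicationHealth {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record,
        [int]$MaxAgeMinutes = 60,          # assumed threshold; tune to your replication schedule
        [datetime]$Now = (Get-Date)
    )
    process {
        $reasons = @()
        # LastReplicationResult is 0 on success; any other value is an error code.
        if ([int]$Record.Result -ne 0) {
            $reasons += "last attempt failed with result $($Record.Result)"
        }
        # A partner can show a clean last attempt yet not have replicated recently,
        # so the age of the last success is checked separately.
        $age = $Now - [datetime]$Record.LastSuccessfulSync
        if ($age.TotalMinutes -gt $MaxAgeMinutes) {
            $reasons += "no successful sync for $([int]$age.TotalMinutes) minutes"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                src_host       = $Record.src_host
                naming_context = $Record.naming_context
                Reason         = $reasons -join '; '
            }
        }
    }
}

# Constructed sample records (hosts, partitions and result values are made up).
$now = Get-Date '2014-06-01T12:00:00'
$sample = @(
    [pscustomobject]@{ src_host = 'dc02.example.test'; naming_context = 'DC=example,DC=test'
                       Result = 0;    LastSuccessfulSync = $now.AddMinutes(-4) },
    [pscustomobject]@{ src_host = 'dc03.example.test'; naming_context = 'DC=example,DC=test'
                       Result = 8524; LastSuccessfulSync = $now.AddHours(-26) },
    [pscustomobject]@{ src_host = 'dc04.example.test'; naming_context = 'CN=Configuration,DC=example,DC=test'
                       Result = 0;    LastSuccessfulSync = $now.AddHours(-3) }
)

# Only dc03 (failed and stale) and dc04 (stale) are returned.
$sample | Test-ReplicationHealth -Now $now | Format-Table -AutoSize
```

On a domain controller, the same function can take the real output by piping replication-stats.ps1 into Test-ReplicationHealth instead of the sample array.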